Authentication protocols generally rely on private information held by entities in order to establish identity. In traditional systems, the private data may consist of a username and password pair, personal identification numbers (PINs) or cryptographic keys. Multi-factor authentication protocols generally require two or more kinds of identifying information such as information the entity knows (e.g., a username and password), something the entity has (e.g., a smart card or token), and information representing what the entity is (e.g., a fingerprint).
Metadata comprises auxiliary information relating to the identity or state of an entity involved in authentication. Examples of metadata include biometric data, sensor output, global positioning data, passwords or PINs and similar auxiliary information that may be used to construct a characterization of an entity's identity or state. Biometric data comprises measurements of physical characteristics of a user (e.g., fingerprints, retina, iris, voice and vein patterns) that are adequately unique to be used as a proof of identity.
Systems that rely on sensor output, however, may be vulnerable to forged sensor output; and while biometric systems utilize a potent property for authentication, they can face challenges relating to the exposure and/or loss of sensitive biometric data. Since a sensor transforms a measured physical characteristic into a binary string, which is stored (enrolled) by the computer system and then compared to the binary strings subsequently generated by the sensor upon authentication requests, without further measures the system cannot distinguish between a string returned from the sensor and a string supplied by an adversary without the sensor. Thus for example an adversary may attempt to observe the output of a biometric sensor for a particular user and “clone” the user by supplying the surreptitiously-obtained biometric data to the system. An adversary may similarly attempt to clone a user by reading biometric data stored in the system. Further, since the features utilized in biometric systems tend by definition to be substantially immutable, the compromise of a user's biometric data cannot be remedied in the way that a lost user password can simply be changed.
Characteristics that are unique and intrinsic to individual hardware devices (e.g., wire resistance, initial memory state, CPU instruction timing) can also be extracted and used as part of authentication protocols. A leading example of this is the physical unclonable function (PUF). A PUF function ƒ(c) maps an input domain (or challenges) c to an output range (or response) r, where the mapping is defined based on characteristics unique to the device computing ƒ(•). A circuit or hardware description of ƒ(•) may be identical across all devices, yet the mapping from the domain to the range will be unique based on the specific hardware device executing the circuit computing ƒ(•).
U.S. Pat. No. 8,577,091 to Ivanov et al. and U.S. Pat. No. 8,566,579 to Armstrong et al. describe authentication systems wherein intrinsic hardware characteristics (e.g., PUF output) as well as human biometrics are required to successfully complete an authentication, but neither provide a method for inexorably linking the PUF with the authentication or a method for handling non-sensitive sensor output.
Frikken et al. (“Robust Authentication using Physically Unclonable Functions,” Information Security, volume 5735 of Lecture Notes in Computer Science, pages 262-277, Springer, 2009) teach a method for combining metadata (e.g., PIN) into the input of a PUF, but does not provide an extension to arbitrary metadata (e.g., biometrics) or non-sensitive metadata (e.g., temperature, pressure).
Rust (editor) in “D1.1 Report on use case and architecture requirements,” Holistic Approaches for Integrity of ICT-Systems (2013) mentions the idea of merging biometric features with a cell-based PUF, but does not elaborate on a means for achieving this.
U.S. Patent Application Publication No. 20110002461 to Erhart et al. describes a method for authenticating sensor output by employing a PUF, which extracts unique characteristics of the physical sensor hardware. The method does not directly link the output of the sensor to the authentication of the hardware, however, and also requires that sensitive biometric sensor output leave the device.